AI Agent Safety: Guardrails, Money and Reversibility

Continue Press · July 2026 · Topic hub: AI agent safety

An AI agent is safe enough to use when three layers exist. You need a written never-do-alone list (money, publishing, messages, identity), reversibility for everything it touches so that git makes file mistakes fully recoverable, and an inbox where the agent asks instead of acting. None of these relies on the agent "being careful." They are structure, not trust, which is the whole point: safety you can verify beats safety you have to hope for. This page is the reading path that builds all three layers.

People worry about the wrong risk first. The fear is usually that the model will "decide" to do something reckless, but the real exposures are mundane and preventable: an unattended purchase, a premature publish, a message sent under your name, a file overwritten with no way back. Each of those has a structural fix that does not depend on the model's judgment at all, and put together they make the difference between an agent you supervise constantly and one you can leave running.

What should an AI agent never do without asking?

Five categories, and they should live in the contract file the agent reads on startup: spending money, creating accounts or publishing anything public, messaging real people, acting under your name or identity, and stepping outside its allowed set of tools and folders. Everything else it just does; these five it proposes and waits. The mechanism is an inbox file where the agent writes the request with enough context for a yes or no, and the list is not permanent - it shrinks over time as you grant specific, logged permissions the agent has earned. See what an agent should never do without asking for the full breakdown.

Start here: the reading path

Read these in order. The first two set the frame and the never-alone list; the rest cover guardrails, money specifically, reversibility with git, and how to catch the agent inventing facts.

FAQ

Can an AI agent spend my money without permission?

Not if the rule lives in the file the agent reads every session. Spending sits at the top of the never-alone list, so the agent proposes any purchase - a domain, a subscription, an API top-up - in the inbox and waits for an explicit yes, rather than acting. A budget cap alone is the weaker approach, because it authorizes a stream of small buys you never individually approved; the reliable pattern is propose-instead-of-buy, where nothing is spent until you say so in writing.

Can I undo an AI agent's mistakes?

For anything kept in files under git, yes, completely. Every checkpoint is a commit, so a bad edit is one command away from being reverted, and a session that went sideways can be rolled back to the last known-good state. This is why the checkpoint habit matters more than it looks: it is not bureaucracy, it is the mechanism that makes file mistakes 100% recoverable and lets you run the agent without holding your breath. The things that are not trivially reversible - money, messages, publishing - are exactly the things on the never-alone list.

Do written prompts alone make an agent safe?

No, because a rule typed into a single conversation lasts only as long as that conversation. The next session starts blank and never sees it, which is the same amnesia that defeats memory. Safety rules have to live in the contract file the agent reads on startup, so the guardrails survive every session and every restart. A prompt is a suggestion for one chat; a contract file is a standing rule.

Set the boundaries before you set the agent loose

The free chapter shows how guardrails become real: written into the file the agent reads on startup, so the never-alone list survives every session and every restart, instead of living in a prompt the next session never sees.